Destination Static NATting

From: Maenard Martinez (TS-PH) (Maenard_martinez@support.trendmicro.com)
Date: 08/19/02


From: "Maenard Martinez (TS-PH)" <Maenard_martinez@support.trendmicro.com>
To: security-basics@securityfocus.com
Date: Mon, 19 Aug 2002 12:03:00 +0800

Hi!

I have a lab wherein I am simulating the setup below:

Objective: Let external IPs (172.16.0.0/16) connect to the Internet services
on the 10.0.0.0/8 network

FTP/SMTP/HTTP [10.0.0.4] --------- [10.0.0.1] FW-1 SP1 [172.16.3.20/172.16.30.20] -------------- External

The 10.0.0.4 hosts the internet services, and its gateway is 10.0.0.1. Two
valid (logically) IP addresses are bound that will act as external IP
addresses (FW-1 has only 1 NIC and I did an IP aliasing to simulate multiple
NICs).

I did the following already on the Policy:

SOURCE DESTINATION SERVICE ACTION
Any 172.16.30.20 FTP/HTTP/SMTP Accept

For the NAT, I have these:

        [ORIGINAL PACKET]                  [TRANSLATED PACKET]
SOURCE  DESTINATION   SERVICE      SOURCE  DESTINATION  SERVICE
Any     172.16.30.20  Any          Orig    10.0.0.4     Orig

I also retrieved the MAC address of the NIC of the FW-1 and added it on the
local.arp and installed the policy. On the article from PhoneBoy, it
mentioned the IP spoofing configuration. I am not familiar with the said
configuration?

After following the steps (except for the IP spoofing), it still doesn't
work. According to the log, the traffic from the external is being accepted
by 172.16.30.20, but that's it; there's no indication that the traffic is
being forwarded or translated to 10.0.0.4. Am I missing something?

Any feedback is highly appreciated.

Thanks,
Leo

